OFFICE OF THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION

FOLLOW-UP: THE SOCIAL SECURITY ADMINISTRATION’S ELECTRONIC MAIL SECURITY REVIEW

June 2009   A-14-09-19044

AUDIT REPORT

Mission
By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA’s programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority
The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

• Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
• Promote economy, effectiveness, and efficiency within the agency.
• Prevent and detect fraud, waste, and abuse in agency programs and operations.
• Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
• Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

• Independence to determine what reviews to perform.
• Access to all information necessary for the reviews.
• Authority to publish findings and recommendations based on the reviews.

Vision
We strive for continual improvement in SSA’s programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.

SOCIAL SECURITY
MEMORANDUM

Date: June 22, 2009
To: The Commissioner
From: Inspector General
Subject: Follow-up: The Social Security Administration’s Electronic Mail Security Review (A-14-09-19044)

OBJECTIVE

Our objective was to determine the extent to which the Social Security Administration (SSA) implemented the recommendations from our September 2006 report, The Social Security Administration’s Electronic Mail Security Review.

BACKGROUND

SSA has identified electronic mail (e-mail) as a critical tool to meet its mission.[1] Sensitive data are often sent via e-mail within the Agency as well as to outside entities, in accordance with the Agency’s policy on protecting sensitive information.[2] Because e-mail is a popular method of exchanging data, it is also a preferred method for attackers to distribute viruses, worms, and spam and to stage other attacks. The servers that operate an e-mail system are among the most frequently targeted. Malicious software attached to or embedded in an e-mail infects the recipient’s computer and can propagate to other computers within an organization’s network.[3] It is crucial that organizations protect information sent or received via e-mail from unauthorized use, disclosure, modification, destruction, or exploitation.

The day-to-day operation of the SSA e-mail system is managed by the Office of Systems’ Electronic Messaging and Groupware Branch (EMGB). SSA users access e-mail through the Microsoft Outlook client, which is served by Microsoft Exchange Server (ES) 2003. The Exchange Server software manages the electronic directories and mailboxes on SSA’s e-mail infrastructure.

[1] Lockheed Martin’s Final Disaster Recovery Business Impact Analysis Report, page 1, April 14, 2004.
[2] SSA’s Information Systems Security Handbook, Chapter 18, requires that “Sensitive data that is to be transmitted in either direction beyond the SSA Network, (i.e., external to the firewall) must be encrypted or otherwise protected as approved by the CISO.”
[3] National Institute of Standards and Technology (NIST) Special Publication (SP) 800-45, Guidelines on Electronic Mail Security, September 2002, page 1.

Page 2 - The Commissioner

Our September 2006 report found weaknesses in the Agency’s e-mail security control framework and made nine recommendations to address them. In this review, we determined the extent to which SSA had implemented the seven recommendations with which it agreed.
We also assessed the feasibility of SSA’s implementing the two recommendations with which it initially disagreed.

To meet our objective, we examined various SSA policies; reviewed relevant criteria; interviewed SSA personnel; and examined the configuration settings of 17 Microsoft ES 2003 mailbox servers for compliance with Federal standards and industry best practices.[4] See Appendix B for a detailed discussion of our Scope and Methodology.

[4] We used the NIST recommended standards contained in SP 800-70, Security Configuration Checklists Program for Information Technology (IT) Products, May 26, 2005, to review SSA’s Microsoft ES 2003 configuration settings. The checklist we applied was developed by the Center for Internet Security (CIS), a nonprofit enterprise whose mission is to help organizations reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls.

RESULTS OF REVIEW

Our 2006 report contained nine recommendations, of which the Agency agreed with seven. In our current review, we found that SSA had fully implemented four of those seven recommendations. SSA reported two further recommendations as implemented and closed; however, our review showed that, although the Agency had taken some corrective action, those recommendations had not been fully implemented. SSA also reported that one recommendation remains open, and we confirmed its status. We therefore consider four recommendations fully implemented, two partially implemented, and one open.

SSA disagreed with two prior recommendations, one related to disaster recovery testing and the other to conducting risk assessments. Although SSA disagreed with the recommendation to include e-mail in disaster recovery testing, it has partially implemented it. The recommendation is not fully implemented because the capability to use e-mail for external communication has not been addressed.

The Agency continues to disagree with the second recommendation, that an appropriate risk assessment be performed on its e-mail system. The Agency believes the Fiscal Year (FY) 2006 Agency Enterprise Wide Mainframe and Distributed Network Telecommunications Services System (EWAN) risk assessment addressed its e-mail system. However, that risk assessment did not assess the impact of migrating the e-mail infrastructure to the Microsoft ES 2003 platform, which took place during and after our 2006 review. Further, the SSA e-mail system has begun migration to the Microsoft ES 2007 platform, with full migration planned for FY 2010. Because e-mail has not undergone risk assessments that account for these significant changes to its infrastructure, SSA cannot ensure that all risks have been identified and the system is secure.

While verifying the implementation of a prior recommendation, we found additional configuration settings that did not comply with NIST guidance.[5] In addition, an incident occurred in which an e-mail administrator ignored system controls and assigned a contractor an e-mail account that already belonged to an employee. The administrator then removed the employee’s account without contacting the appropriate component security officer. As a result of these newly identified issues, this report contains two new recommendations.

[5] CIS, CIS Exchange Server 2003 Benchmark Version 1, revised October 29, 2007.

FULLY IMPLEMENTED RECOMMENDATIONS

Recommendation 1: Ensure that incorrect configuration settings found during our review are corrected.

SSA agreed and stated that all incorrect configuration settings identified during the 2006 review had been corrected. Our current testing of the servers previously identified with incorrect configuration settings showed that those settings had been corrected. We concluded this recommendation had been implemented.

Although the original incorrect configuration settings were addressed, we found additional noncompliant configuration settings. Each of the 17 servers tested (including 3 servers from our prior review) had at least 3 configuration settings that did not comply with NIST guidance. For example, some servers had settings that

• allowed anonymous access;
• did not set storage limits for public folders;
• did not protect e-mail transmitted through the relay service;
• bypassed the global policy on the size of messages sent and received; and
• required the servers to be managed independently rather than through global policy.

These noncompliant configuration settings place SSA at risk of

• users being unable to correctly authenticate for access to public folders;
• public folder storage controls being ignored;
• spammers hijacking the relays and using them for their own purposes;
• user noncompliance with operational policies and procedures; and
• inefficient management, excessive use of resources, and a more complex e-mail infrastructure than is necessary.

We shared these results with Agency staff, who have begun addressing the noncompliant settings.
We recommend SSA ensure e-mail server settings are configured correctly and in accordance with NIST guidelines.

Recommendation 4: Inform employees of their responsibility to secure information retrieved through Outlook Web Access (OWA) or the system used to access OWA.

SSA agreed and stated it had updated the message sent to OWA-enabled users to include Internet links to the SSA OWA Security and Usage Notice. Our current review found that the OWA webpage contained such a link. We concluded this recommendation had been fully implemented.

Recommendation 7: Update SSA’s e-mail retention policy in the Information Systems Security Handbook (ISSH) and notify employees of the retention policies and where to find them.

SSA agreed and responded that the ISSH was revised and no longer contains the e-mail retention policy but instead refers readers to the retention policy on the Center for Records Management Intranet website. Our review of the current ISSH Chapter 8 confirmed the ISSH was updated to refer employees to the appropriate source for the Agency’s e-mail retention policy. We concluded this recommendation had been fully implemented.

Recommendation 9: Increase efforts to inform employees of the capabilities of the Agency’s content filtering tools and post the content-filtering information in an accessible area.

SSA agreed with this recommendation and responded that it had updated the content-filtering documentation on the appropriate SSA website. When this recommendation was initially made, SSA employees controlled the use of content filtering tools to manage their own e-mail accounts, and the intent of the recommendation was to give employees the information they needed to better maintain, control, and secure their e-mail accounts. After our initial review, EMGB decided to centrally administer and maintain the content filtering tools to control the type, size, frequency, and content of e-mail sent and received by SSA employees. As the intent of our original recommendation has been met, we concluded this recommendation had been fully implemented.

RECOMMENDATIONS SSA AGREED WITH AND CLOSED, BUT WE DETERMINED WERE NOT FULLY IMPLEMENTED

Recommendation 2: Develop and document SSA’s Microsoft ES 2003 Configuration Guide for e-mail settings in accordance with the NIST-recommended standards.

SSA agreed with our recommendation. In its response to our 2006 report, SSA indicated that it had begun developing and documenting the Microsoft ES 2003 Configuration Guide as part of its Exchange 2003 Hardening Security guidelines. Our current review found only a reference to those guidelines in an Agency document.[6] We concluded the Agency had not developed and documented its own Microsoft ES 2003 Configuration Guide.

During our current review, a procedural issue occurred in which an SSA e-mail administrator assigned an SSA contractor an e-mail account that was already assigned to an employee in another component. In addition, the administrator inappropriately removed the employee’s e-mail account. As a control, the e-mail system generates an alert when a name is already assigned to an e-mail account. This control was ignored, and the account was assigned to the contractor without contacting the appropriate component security officer. While it appears that sensitive information may not have been disclosed in this instance, system administrators in a number of components had to spend significant time resolving the matter.
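The incident above turned on a control that only warned: the duplicate-name alert could be acknowledged and ignored, and nothing stopped a removal across component lines. The script below is an added example, not an SSA procedure or SSA tooling, showing how the same two checks look when enforced in the Exchange 2007 Management Shell: the provisioning function refuses to reuse an alias or address that any existing recipient already holds, and the removal function refuses to disable a mailbox outside the administrator’s own component unless a named approver from the owning component is supplied, writing each action to an audit log. The one-OU-per-component directory layout, the log path, and the approval convention are assumptions made for the example; Exchange 2003, which most SSA servers still ran, has no cmdlets, so the equivalent checks there would be scripted against Active Directory directly.

```powershell
# Added example, not an SSA procedure. Exchange 2007 Management Shell, PowerShell 1.0 syntax.
# Turns the "name already assigned" warning into a hard stop and makes removal of a
# mailbox in another component require a named approver from that component.
# Assumptions: one OU per component in canonical form (e.g. 'ssa.example/Component-OIG'),
# and an audit log path; both are placeholders, not SSA values.

$AuditLog = 'C:\ExchangeAudit\mailbox-changes.log'

function Write-AuditLine([string]$Action, [string]$Target, [string]$Detail) {
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    Add-Content -Path $AuditLog -Value ('{0} {1} {2} {3} {4}' -f $stamp, $env:USERNAME, $Action, $Target, $Detail)
}

function Get-Component([string]$CanonicalOU) {
    # 'ssa.example/Component-OIG/Users' -> 'ssa.example/Component-OIG' (assumed layout)
    $parts = "$CanonicalOU".Split('/')
    return ($parts[0] + '/' + $parts[1])
}

function Assert-RecipientIdentityFree([string]$Alias, [string]$SmtpAddress) {
    # Get-Recipient resolves an alias or an SMTP address across every recipient type
    # (mailbox, mail user, contact, group), so a clash with any of them is caught,
    # not only a clash with another mailbox.
    foreach ($id in @($Alias, $SmtpAddress)) {
        $existing = Get-Recipient -Identity $id -ErrorAction SilentlyContinue
        if ($existing) {
            throw ('{0} already belongs to {1} ({2}); refusing to reuse it' -f $id, $existing.Name, $existing.RecipientType)
        }
    }
}

function Enable-ComponentMailbox([string]$UserIdentity, [string]$Alias, [string]$SmtpAddress, [string]$Database) {
    # $SmtpAddress is the address the e-mail address policy will stamp for $Alias;
    # checking it as well catches a clash with a secondary address on another recipient.
    Assert-RecipientIdentityFree $Alias $SmtpAddress      # throws: there is no "acknowledge and continue"
    Enable-Mailbox -Identity $UserIdentity -Alias $Alias -Database $Database | Out-Null
    Write-AuditLine 'ENABLE' $UserIdentity "alias=$Alias smtp=$SmtpAddress db=$Database"
}

function Disable-ComponentMailbox([string]$Identity, [string]$AdminComponent, [string]$ApprovedBy) {
    $mbx      = Get-Mailbox -Identity $Identity
    $ownerCmp = Get-Component $mbx.OrganizationalUnit
    if ($ownerCmp -ne $AdminComponent) {
        # Cross-component removal: the approver must exist and belong to the component
        # that owns the mailbox (the report's "component security officer").
        if (-not $ApprovedBy) {
            throw ('{0} belongs to {1}, not {2}; supply -ApprovedBy from the owning component' -f $mbx.Alias, $ownerCmp, $AdminComponent)
        }
        $approver = Get-Recipient -Identity $ApprovedBy -ErrorAction SilentlyContinue
        if (-not $approver -or (Get-Component $approver.OrganizationalUnit) -ne $ownerCmp) {
            throw ("approver '{0}' is not a recipient in {1}" -f $ApprovedBy, $ownerCmp)
        }
    }
    # Disable-Mailbox detaches the mailbox, which stays recoverable for the database's
    # MailboxRetention period; Remove-Mailbox would also delete the AD user and is not used.
    Disable-Mailbox -Identity $mbx.Identity -Confirm:$false
    Write-AuditLine 'DISABLE' $mbx.Alias "ou=$($mbx.OrganizationalUnit) approvedBy=$ApprovedBy"
}

# Usage (identities and database are placeholders):
# Enable-ComponentMailbox 'ssa.example\jdoe-ctr' 'jdoe-ctr' 'jdoe-ctr@ssa.example' 'MBX01\SG1\DB1'
# Disable-ComponentMailbox 'jdoe' 'ssa.example/Component-OIG' -ApprovedBy 'asmith'
```

The point of the design is that the check runs before the change and fails closed: an administrator who wants to reuse an identity or remove another component’s mailbox has to go through the approver rather than through a dialog box. The audit line records who did what and who approved it, which is what the components had to reconstruct by hand in the incident described above.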
The configuration guidelines need to be finalized, require compliance with the least-privilege criteria for administrative access, and document the procedures an administrator must follow. Additionally, because the employee was in a different component from the administrator, the policy should require that the administrator contact the component security officer before removing an account.

SSA’s failure to update and use its own server security guidelines unnecessarily places the Agency at risk of security controls being weakened or compromised. We concluded that this recommendation had not been fully implemented.

[6] How to Build a Windows 2003 Exchange Server for Remote Operations Communication Center (ROCC), Revision 2.02, dated January 2004, page 84.

Recommendation 3: Monitor Microsoft ES 2003 servers on a continuous basis for compliance with SSA’s Microsoft ES 2003 Configuration Guide.

SSA agreed with this recommendation. In its response to our 2006 report, the Agency indicated that server configuration audits would be conducted after the migration to the Microsoft ES 2003 platform was completed on March 15, 2008, and it closed the recommendation. We found the Agency used software to monitor Microsoft products and periodically reviewed or audited some servers. However, the software did not continually monitor the Microsoft mailbox servers for compliance with the Microsoft ES 2003 Guide, and the reviews and audits provided only a snapshot of the servers at the time they were reviewed.
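The difference between the audits SSA ran and what Recommendation 3 asks for is the difference between a point-in-time check and one that remembers the previous result. The script below is an added example, not SSA’s configuration guide or its monitoring software, written for the Exchange 2007 Management Shell (Exchange 2003 has no cmdlets; on that platform the same items are set in Exchange System Manager under the SMTP virtual server’s relay restrictions, the public folder store limits, and Global Settings, Message Delivery). It collects the settings behind the Recommendation 1 findings above (anonymous relay and anonymous SMTP access, public folder storage limits, and per-connector or per-mailbox message size limits that override the global policy), adds a check on deleted-item retention, scores them against a baseline, and then diffs the collected values against the file the previous run left behind, so a setting that changes between audits is reported as drift instead of silently becoming the new normal. The baseline values, the connector name permitted to accept anonymous SMTP, and the snapshot path are placeholders, not values from any SSA guide.

```powershell
# Added example, not SSA's configuration guide or monitoring tooling. Exchange 2007
# Management Shell, PowerShell 1.0 syntax, run under Exchange View-Only Administrator.
# Collects the settings behind the report's findings, compares them with a baseline,
# and diffs them against the previous run so drift is reported, not just a snapshot.
# Every value in $Baseline is a placeholder for the real guide's figure.

$Baseline = @{
    MaxMessageBytes       = 10MB                               # assumed global send/receive limit
    MinDeletedItemDays    = 30                                 # retention floor SSA called feasible
    AnonymousOkConnectors = @('Internet Inbound')              # assumed: the only Internet-facing connector
    SnapshotPath          = 'C:\ExchangeAudit\previous.xml'    # assumed location of the last run's state
}

function ConvertTo-Bytes($size) {
    # Org, mailbox and public folder limits are Unlimited<ByteQuantifiedSize>;
    # receive connector limits are a plain ByteQuantifiedSize with no IsUnlimited member.
    if ($size -eq $null) { return 0 }
    if ($size | Get-Member -Name IsUnlimited) {
        if ($size.IsUnlimited) { return [double]::PositiveInfinity }
        return [double]$size.Value.ToBytes()
    }
    return [double]$size.ToBytes()
}

$State    = @{}    # setting path -> value string; persisted for the next run's drift check
$Findings = @()

foreach ($rc in Get-ReceiveConnector) {
    $key = "ReceiveConnector/$($rc.Identity)"
    $State["$key/PermissionGroups"] = "$($rc.PermissionGroups)"
    $State["$key/MaxMessageSize"]   = "$($rc.MaxMessageSize)"
    $State["$key/RemoteIPRanges"]   = "$($rc.RemoteIPRanges)"
    # ANONYMOUS LOGON holding this extended right is what makes a connector an open relay
    # for every source address in RemoteIPRanges.
    $relay = $rc | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
             Where-Object { $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient' }
    if ($relay) { $Findings += "OPEN-RELAY  $key relays anonymously for $($rc.RemoteIPRanges)" }
    if (("$($rc.PermissionGroups)" -match 'AnonymousUsers') -and ($Baseline.AnonymousOkConnectors -notcontains $rc.Name)) {
        $Findings += "ANON-ACCESS $key accepts anonymous SMTP but is not an approved Internet-facing connector"
    }
    if ((ConvertTo-Bytes $rc.MaxMessageSize) -gt $Baseline.MaxMessageBytes) {
        $Findings += "MSG-SIZE    $key MaxMessageSize=$($rc.MaxMessageSize) exceeds the global limit"
    }
}

# Organisation-wide limits, then per-mailbox overrides: a limit set on a mailbox takes
# precedence over the global one, which is how a "global" policy gets bypassed.
$tc = Get-TransportConfig
foreach ($p in 'MaxSendSize', 'MaxReceiveSize') {
    $State["TransportConfig/$p"] = "$($tc.$p)"
    if ((ConvertTo-Bytes $tc.$p) -gt $Baseline.MaxMessageBytes) { $Findings += "MSG-SIZE    TransportConfig.$p=$($tc.$p) exceeds the baseline" }
}
foreach ($m in Get-Mailbox -ResultSize Unlimited) {
    foreach ($p in 'MaxSendSize', 'MaxReceiveSize') {
        if (-not $m.$p.IsUnlimited) {            # on a mailbox, Unlimited means "inherit the global value"
            $State["Mailbox/$($m.Alias)/$p"] = "$($m.$p)"
            if ((ConvertTo-Bytes $m.$p) -gt $Baseline.MaxMessageBytes) { $Findings += "MSG-SIZE    mailbox $($m.Alias) $p=$($m.$p) bypasses the global limit" }
        }
    }
}

# Public folder storage limits: Unlimited on the database means no ceiling at all.
foreach ($pfdb in Get-PublicFolderDatabase) {
    foreach ($p in 'IssueWarningQuota', 'ProhibitPostQuota', 'MaxItemSize') {
        $State["PublicFolderDatabase/$($pfdb.Name)/$p"] = "$($pfdb.$p)"
        if ($pfdb.$p.IsUnlimited) { $Findings += "PF-QUOTA    $($pfdb.Name) $p is unlimited" }
    }
}

# Deleted-item retention: the 14-day window the report discusses lives here.
foreach ($db in Get-MailboxDatabase) {
    $days = ([TimeSpan]"$($db.DeletedItemRetention)").Days      # EnhancedTimeSpan prints as d.hh:mm:ss
    $State["MailboxDatabase/$($db.Name)/DeletedItemRetention"] = "$days"
    if ($days -lt $Baseline.MinDeletedItemDays) { $Findings += "RETENTION   $($db.Name) keeps deleted items $days days" }
}

# Drift: anything that differs from the last run is a change made between audits.
if (Test-Path $Baseline.SnapshotPath) {
    $previous = Import-Clixml $Baseline.SnapshotPath
    foreach ($k in $State.Keys) {
        if (-not $previous.ContainsKey($k))   { $Findings += "NEW         $k = '$($State[$k])'" }
        elseif ($previous[$k] -ne $State[$k]) { $Findings += "DRIFT       $k '$($previous[$k])' -> '$($State[$k])'" }
    }
    foreach ($k in $previous.Keys) {
        if (-not $State.ContainsKey($k)) { $Findings += "REMOVED     $k was '$($previous[$k])'" }
    }
}
$dir = Split-Path $Baseline.SnapshotPath
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
$State | Export-Clixml $Baseline.SnapshotPath

if ($Findings.Count -eq 0) { 'No findings' } else { $Findings }
```

Run from a scheduled task, the output lines are the alert feed: the baseline findings are what a one-off audit would report, and the DRIFT, NEW and REMOVED lines are what the periodic reviews described above could not produce, because each review started from nothing. Keep the snapshot file on a host the Exchange administrators cannot write to, or the record of what changed is only as trustworthy as the people being monitored.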
Failure to continuously monitor mailbox servers for compliance with security guidelines may allow the introduction of server settings that could negatively affect the operability, functionality, and security of the e-mail infrastructure.

According to SSA, the capability to meet this recommendation may be available when the Agency migrates to the Microsoft ES 2007 platform. SSA began this migration in April 2009. We therefore conclude that this recommendation has not been fully implemented.

OPEN RECOMMENDATION

Recommendation 8: Determine the feasibility of extending the e-mail retention period beyond 14 days as the Agency examines an e-mail archiving solution.

SSA agreed with this recommendation and responded as follows.

• Increasing the retention period from 14 to 30 days is feasible.
• This will require several months to implement.
• EMGB is reviewing e-mail archiving products.
• All Exchange servers will be migrated to the Microsoft ES 2003 platform by April 2008.

During the current review, EMGB personnel indicated this issue will be partially addressed when the Agency migrates to the Microsoft ES 2007 server platform and fully addressed when the Agency obtains additional storage capacity. Until it is addressed, the Agency is at risk that messages deleted after 14 days, which may contain information useful in fraud investigations and employee sanction activities, will be permanently lost. According to SSA, this recommendation is open. We agree that this recommendation has not been implemented and remains open.

PRIOR RECOMMENDATIONS WITH WHICH SSA DID NOT AGREE

Recommendation 5: Develop, document, and test the recovery/failover capability for the e-mail messaging infrastructure, including both internal and external e-mail communications.

The Agency disagreed with this recommendation and responded that e-mail is tested in the annual disaster recovery exercise (DRE) as part of the EWAN. While our current review found that SSA tested elements of e-mail as part of the FY 2008 DRE and as part of a 2007 monthly DRE conducted for the ROCCs, the testing did not include external e-mail communications. As a result, SSA still cannot ensure continuity of operations with respect to e-mail. We continue to believe that the Agency’s reliance on e-mail as a critical tool to meet its mission warrants taking the necessary precautions to ensure continued e-mail communications. Therefore, we reaffirm our original recommendation that SSA develop, document, and test the recovery/failover capability for the electronic messaging infrastructure, to include external as well as internal e-mail communications. According to Agency personnel, this recommendation will be addressed when the co-processing center becomes operational.

Recommendation 6: Ensure appropriate risk assessments are performed on the entire e-mail system, comprising SSA’s Microsoft ES 2003 environment, the OWA system, and the e-mail security structure.

SSA disagreed with this recommendation and commented that e-mail and OWA reside on the EWAN platform and that the 2006 EWAN risk assessment sufficiently addressed this issue. According to Office of Management and Budget (OMB) Circular A-130, Appendix III, agencies are required to review the security controls in each system when significant modifications are made to the system.[7] Further, the security control review should be conducted using a risk assessment methodology.[8] SSA’s e-mail system migrated to the Microsoft ES 2003 platform in March 2008. In addition, the SSA e-mail system has begun migration to the Microsoft ES 2007 platform, with full migration planned for FY 2010. Because e-mail has not undergone a risk-based review to determine the impact these migrations have on the e-mail infrastructure, SSA cannot ensure that all risks have been identified and the system is secure. Therefore, we reaffirm our original recommendation that SSA ensure appropriate risk assessments are performed on the entire e-mail system, comprising SSA’s Microsoft ES 2003 and 2007 platforms, the OWA system, and the e-mail security structure. According to Agency personnel, SSA plans to conduct a risk assessment of the entire e-mail system in FY 2010.

[7] OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources, section A.3.a.3, Review of Security Controls, states, in part, “Review the security controls in each system when significant modifications are made to the system, but at least every three years.”
[8] NIST SP 800-30, Risk Management Guide for Information Technology Systems, July 2002, Chapter 3, Risk Assessment.

CONCLUSION AND RECOMMENDATIONS

Our initial review contained nine recommendations, of which the Agency agreed with seven. Of those seven, we determined that four were fully implemented, two were not fully implemented, and one was not addressed.

We encourage SSA to continue its efforts to take corrective action on Recommendation 8 from our original report. We believe the implementation of a long-term e-mail archiving solution has become even more crucial. Current events demonstrate the significant role e-mail can play, as evidence or as an official record, in investigative and employee sanction activities. The E-Government Act[9] and NIST SP 800-45[10] collectively indicate that an effective and efficient e-mail security management program includes ensuring the confidentiality, availability, and integrity of information system resources. Such a program is predicated on the development, maintenance, and implementation of policies and procedures, with continuous monitoring to ensure compliance with them. Implementing these recommendations would help ensure that SSA has the standards and guidelines needed to further strengthen the infrastructure it has established for a sound e-mail security management program.

Because we found additional noncompliant configuration settings and an existing employee’s inappropriately administered e-mail account, we are making two new recommendations that SSA:

1. Ensure e-mail server settings are configured correctly in accordance with NIST recommended standards.

2. Ensure the policies and procedures require compliance with least-privilege administrative access and appropriate chain of command approvals for e-mail account assignment.

[9] The E-Government Act of 2002, Pub. L. No. 107-347, Title III, Section 301(b)(1), Information Security, Sec. 3541, states in part that “…The purposes of this subchapter are to-- (1) provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources,” and Sec. 3542(b)(1) defines ‘information security’ as “protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide— (A) integrity…; (B) confidentiality…; and (C) availability...”
[10] NIST SP 800-45, version 2, Guidelines on Electronic Mail Security, Chapter 4, sub-section 4.3, states in part that “Appropriate management practices are critical to operating and maintaining a secure mail server. Security practices entail the identification of an organization’s information system assets and the development, documentation, and implementation of policies, standards, procedures, and guidelines that ensure confidentiality, integrity, and availability of information system resources.”

Because the Agency closed two recommendations that we believe have not been implemented, we recommend that SSA:

3. Develop and document an SSA Microsoft Exchange Server Configuration Guide[11] for e-mail settings in accordance with NIST recommended standards.

4. Continually monitor servers for compliance with SSA’s Microsoft Exchange Server Configuration Guide.

With respect to the two original recommendations with which SSA disagreed, we reaffirm our recommendations that SSA:

5. Develop, document, and test the recovery/failover capability for the e-mail messaging infrastructure, to include external as well as internal e-mail communications.

6. Ensure appropriate risk assessments are performed on the entire e-mail system, comprising SSA’s Microsoft ES 2003 and 2007 environments, the OWA system, and the e-mail security structure.

AGENCY COMMENTS

SSA agreed with our recommendations.
The Agency’s comments are included in Appendix C.

Patrick P. O’Carroll, Jr.

[11] SSA servers will operate in a ‘mixed mode’ environment, including both 2003 and 2007 platform servers. Guides for both platforms must be developed and used until only 2007 servers remain.

Appendices
APPENDIX A – Acronyms
APPENDIX B – Scope and Methodology
APPENDIX C – Agency Comments
APPENDIX D – OIG Contacts and Staff Acknowledgments

Appendix A

Acronyms
CIS      Center for Internet Security
DRE      Disaster Recovery Exercise
e-mail   Electronic mail
EMGB     Electronic Messaging and Groupware Branch
ES       Exchange Server
EWAN     Enterprise Wide Mainframe and Distributed Network Telecommunications Services System
FY       Fiscal Year
ISSH     Information Systems Security Handbook
IT       Information Technology
NIST     National Institute of Standards and Technology
OMB      Office of Management and Budget
OWA      Outlook Web Access
ROCC     Remote Operations Communication Center
SP       Special Publication
SSA      Social Security Administration

Appendix B

Scope and Methodology

Our objective was to determine the extent to which the Social Security Administration (SSA) implemented the recommendations in our September 2006 report, The Social Security Administration’s Electronic Mail Security Review.

To meet our objective, we
• documented and examined the prior report and various audit work papers;
• interviewed SSA personnel involved with addressing the prior recommendations;
• documented and examined evidence of the status of all prior recommendations; and
• examined various SSA policies regarding the use of its electronic mail system.

In addition, we reviewed 95 configuration settings on each of the 17 Microsoft Exchange Server 2003 mailbox servers tested. We reviewed two servers from each of the six Remote Operations Communication Centers (ROCCs) (Birmingham, Chicago, Kansas City, New York, Philadelphia, and San Francisco) and Headquarters. We also reviewed the Office of the Inspector General mailbox server and two servers that contained incorrect configuration settings in the prior review.

We examined these servers for compliance with Federal standards and guidelines contained in the National Institute of Standards and Technology (NIST) Special Publication 800-70.[1] The NIST checklist program is conducted in cooperation with checklist development activities at the Defense Information Systems Agency, the National Security Agency, and the Center for Internet Security.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. We conducted our field work at SSA Headquarters in Baltimore, Maryland, from October 2008 through February 2009.
The audited entities were the\nOffice of System\xe2\x80\x99s Electronic Messaging and Groupware Branch, and the Office of\nPolicy.\n\n\n\n\n1\n  NIST Special Publication 800-70, Security Configuration Checklists Program for Information Technology\n(IT) Products, May 26, 2005.\n\x0c                  Appendix C\n\nAgency Comments\n\x0c                                          SOCIAL SECURITY\n\nMEMORANDUM\n\n\nDate:      May 26, 2009                                                             Refer To:   S1J-3\n\nTo:        Patrick P. O'Carroll, Jr.\n           Inspector General\n\nFrom:      James A. Winn /s/\n           Chief of Staff\n\nSubject:   Office of the Inspector General (OIG) Draft Report, \xe2\x80\x9cFollow-up: The Social Security\n           Administration\xe2\x80\x99s Electronic Mail Security Review\xe2\x80\x9d (A-14-09-19044)--INFORMATION\n\n           Thank you for the opportunity to review and comment on the draft report. We appreciate the\n           comprehensive work that the OIG auditing team did on this report. Our response to the report\n           findings and recommendations is attached.\n\n           Please let me know if we can be of further assistance. Please direct staff inquiries to\n           Candace Skurnik, Director, Audit Management and Liaison Staff, at (410) 965-4636.\n\n\n           Attachment\n\n\n\n\n                                                           C-1\n\x0cCOMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL DRAFT REPORT,\n\xe2\x80\x9cFOLLOW-UP: THE SOCIAL SECURITY ADMINISTRATION\xe2\x80\x99S ELECTRONIC MAIL\nSECURITY REVIEW\xe2\x80\x9d (A-14-09-19044)\n\nRecommendation 1\n\nCorrectly configure e-mail server settings in accordance with the National Institute of Standards\nand Technology (NIST) recommended standards.\n\nComment\n\nWe agree. The audit process is on-going and we continue to move forward. We have an internal\naudit process in place for all existing Exchange servers. 
Thus, we can meet the suggested 2-year\nrequirement.\n\nRecommendation 2\n\nEnsure the policies and procedures require compliance with least-privilege administrative access\nand appropriate chain of command approvals for e-mail account assignment.\n\nComment\n\nWe agree. We are accomplishing this with our existing Exchange infrastructure. We have\nupdated our current procedures to ensure we correctly assign all Exchange mailboxes to the\naccurate Active Directory accounts. In anticipating the upcoming infrastructural changes in\nExchange at the server and client levels, including the hardware refresh and the anticipated\nVISSA image, we anticipate meeting this particular requirement within the next 2 years.\n\nRecommendation 3\n\nDevelop and document a Social Security Administration (SSA) Microsoft Exchange Server\nConfiguration Guide for e-mail settings in accordance with NIST recommended standards.\n\nComment\n\nWe agree. We are currently creating new build documentation for Exchange 2007 environment.\nWe will address NIST guidelines where essential. In anticipation of the upcoming hardware\nrefresh, infrastructural changes in Exchange, and Outlook and the anticipated VISSA image, we\nforesee meeting this particular requirement within next 2 years, provided we meet all the\ndependencies.\n\n\n\n\n                                               C-2\n\x0cRecommendation 4\n\nContinually monitor servers for compliance with SSA's Microsoft Exchange Server\nConfiguration Guide.\n\nComment\n\nWe agree. We are already accomplishing this with our current infrastructure. With the\nupcoming new Exchange configuration on new 64-bit hardware, we expect to meet this\nrequirement within the next 2 years.\n\nRecommendation 5\n\nDevelop, document, and test the recovery/failover capability for the e-mail messaging\ninfrastructure, to include external as well as internal e-mail communications.\n\nComment\n\nWe agree. 
The Durham Support Center (DSC) will mitigate this recommendation, as there will\nbe redundant Internet and e-mail services available from both the National Computer Center and\nthe DSC. We look forward to establishing failover for internal and Internet mail delivery once\nthe Exchange servers and Internet mail hubs are completely installed and functional at the DSC.\nIf we meet all pre-requisites, we expect to complete this process in the year 2011.\n\nRecommendation 6\n\nEnsure that SSA staff perform appropriate risk assessments on the entire e-mail system comprised of\nSSA\xe2\x80\x99s Microsoft ES 2003 and 2007 environments, the Outlook Web Access (OWA) system and\nthe e-mail security structure.\n\nComment\nWe agree with this recommendation. We assess risks as part of the certification and\naccreditation (C&A) process. The e-mail and OWA reside on the Enterprise Wide Mainframe\nand Distributed Network Telecommunications Services System (EWAN) platform. Currently,\nEWAN is undergoing a C&A cycle and the e-mail infrastructure is included in that process, which\nincludes control testing and a risk assessment. In short, the C&A process is a review of\npolicies, procedures, controls, and contingency planning. 
The outcome of the C&A process is to\nput together a collection of documents that describe the security posture of the systems, an\nevaluation of the risks, and recommendations for correcting deficiencies.\n\n\n[In addition to the information listed above, SSA also provided technical comments\nwhich have been addressed, where appropriate, in this report.]\n\n\n                                              C-3\n\x0c                                                                     Appendix D\n\nOIG Contacts and Staff Acknowledgments\nOIG Contacts\n\n   Phil Rogofsky, Acting Director, Information Technology Audit Division\n\n   Mary Ellen Moyer, Acting Audit Manager\n\nAcknowledgments\n\nIn addition to those named above:\n\n   Harold Hunter, Senior Auditor\n\n   Jan Kowalewski, Systems Analyst\n\n   Michael Zimmerman, Auditor\n\nFor additional copies of this report, please visit our web site at\nwww.socialsecurity.gov/oig or contact the Office of the Inspector General\xe2\x80\x99s Public\nAffairs Staff Assistant at (410) 965-4518. 
Refer to Common Identification Number\nA-14-09-19044.\n\x0c                           DISTRIBUTION SCHEDULE\n\nCommissioner of Social Security\nOffice of Management and Budget, Income Maintenance Branch\nChairman and Ranking Member, Committee on Ways and Means\nChief of Staff, Committee on Ways and Means\nChairman and Ranking Minority Member, Subcommittee on Social Security\nMajority and Minority Staff Director, Subcommittee on Social Security\nChairman and Ranking Minority Member, Committee on the Budget, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Oversight and Government\nReform\nChairman and Ranking Minority Member, Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services,\nEducation and Related Agencies, Committee on Appropriations,\n House of Representatives\nChairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human\nServices, Education and Related Agencies, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Committee on Finance\nChairman and Ranking Minority Member, Subcommittee on Social Security Pensions\nand Family Policy\nChairman and Ranking Minority Member, Senate Special Committee on Aging\nSocial Security Advisory Board\n\x0c                         Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations\n(OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of\nTechnology and Resource Management (OTRM). 
To ensure compliance with policies and procedures, internal\ncontrols, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality\nAssurance program.\n                                                 Office of Audit\nOA conducts financial and performance audits of the Social Security Administration\xe2\x80\x99s (SSA) programs and\noperations and makes recommendations to ensure program objectives are achieved effectively and efficiently.\nFinancial audits assess whether SSA\xe2\x80\x99s financial statements fairly present SSA\xe2\x80\x99s financial position, results of\noperations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA\xe2\x80\x99s\nprograms and operations. OA also conducts short-term management reviews and program evaluations on issues\nof concern to SSA, Congress, and the general public.\n                                           Office of Investigations\nOI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations.\nThis includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing\ntheir official duties. This office serves as liaison to the Department of Justice on all matters relating to the\ninvestigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State,\nand local law enforcement agencies.\n                            Office of the Counsel to the Inspector General\nOCIG provides independent legal advice and counsel to the IG on various matters, including statutes,\nregulations, legislation, and policy directives. 
OCIG also advises the IG on investigative procedures and\ntechniques, as well as on legal implications and conclusions to be drawn from audit and investigative material.\nAlso, OCIG administers the Civil Monetary Penalty program.\n                                        Office of External Relations\nOER manages OIG\xe2\x80\x99s external and public affairs programs, and serves as the principal advisor on news releases\nand in providing information to the various news reporting services. OER develops OIG\xe2\x80\x99s media and public\ninformation policies, directs OIG\xe2\x80\x99s external and public affairs programs, and serves as the primary contact for\nthose seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal\nand external organizations, and responds to Congressional correspondence.\n                          Office of Technology and Resource Management\nOTRM supports OIG by providing information management and systems security. OTRM also coordinates\nOIG\xe2\x80\x99s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the\nfocal point for OIG\xe2\x80\x99s strategic planning function, and the development and monitoring of performance\nmeasures. OTRM also receives and assigns for action allegations of criminal and administrative\nviolations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides\ntechnological assistance to investigations.\n\x0c"